--- /dev/null
+From thomas@archlinux.org Tue Mar 8 11:43:32 2011
+From: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
+Date: Fri, 4 Mar 2011 23:00:30 +0100
+Subject: ath9k: Fix ath9k prevents CPU to enter C3 states
+To: Greg KH <greg@kroah.com>
+Cc: Mohammed Shafi <mshajakhan@atheros.com>, Thomas Bächler <thomas@archlinux.org>, linux-wireless@vger.kernel.org, "John W. Linville" <linville@tuxdriver.com>, Luis Rodriguez <Luis.Rodriguez@atheros.com>, Mohammed Shajakhan <Mohammed.Shajakhan@atheros.com>, stable@kernel.org
+Message-ID: <1299276030-4084-1-git-send-email-thomas@archlinux.org>
+
+
+From: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
+
+This is a backport of upstream commit 0f5cd45960173ba5b36727decbb4a241cbd35ef9.
+
+The DMA latency issue is observed only in Intel pinetrail platforms
+but in the driver we had a default PM-QOS value of 55. This caused
+unnecessary power consumption and battery drain in other platforms.
+
+Remove the pm-qos thing in the driver code and address the throughput
+issue in Intel pinetrail platfroms in user space using any one of
+the scripts in below links:
+
+http://www.kernel.org/pub/linux/kernel/people/mcgrof/scripts/cpudmalatency.c
+http://johannes.sipsolutions.net/files/netlatency.c.txt
+
+More details can be found in the following bugzilla link:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=27532
+
+Signed-off-by: Thomas Bächler <thomas@archlinux.org>
+Acked-by: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ath/ath9k/ath9k.h | 3 ---
+ drivers/net/wireless/ath/ath9k/init.c | 4 ----
+ drivers/net/wireless/ath/ath9k/main.c | 4 ----
+ 3 files changed, 11 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ath9k.h
++++ b/drivers/net/wireless/ath/ath9k/ath9k.h
+@@ -21,7 +21,6 @@
+ #include <linux/device.h>
+ #include <linux/leds.h>
+ #include <linux/completion.h>
+-#include <linux/pm_qos_params.h>
+
+ #include "debug.h"
+ #include "common.h"
+@@ -647,8 +646,6 @@ struct ath_softc {
+ struct ath_descdma txsdma;
+
+ struct ath_ant_comb ant_comb;
+-
+- struct pm_qos_request_list pm_qos_req;
+ };
+
+ struct ath_wiphy {
+--- a/drivers/net/wireless/ath/ath9k/init.c
++++ b/drivers/net/wireless/ath/ath9k/init.c
+@@ -758,9 +758,6 @@ int ath9k_init_device(u16 devid, struct
+ ath_init_leds(sc);
+ ath_start_rfkill_poll(sc);
+
+- pm_qos_add_request(&sc->pm_qos_req, PM_QOS_CPU_DMA_LATENCY,
+- PM_QOS_DEFAULT_VALUE);
+-
+ return 0;
+
+ error_world:
+@@ -829,7 +826,6 @@ void ath9k_deinit_device(struct ath_soft
+ }
+
+ ieee80211_unregister_hw(hw);
+- pm_qos_remove_request(&sc->pm_qos_req);
+ ath_rx_cleanup(sc);
+ ath_tx_cleanup(sc);
+ ath9k_deinit_softc(sc);
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1245,8 +1245,6 @@ static int ath9k_start(struct ieee80211_
+ ath9k_btcoex_timer_resume(sc);
+ }
+
+- pm_qos_update_request(&sc->pm_qos_req, 55);
+-
+ mutex_unlock:
+ mutex_unlock(&sc->mutex);
+
+@@ -1425,8 +1423,6 @@ static void ath9k_stop(struct ieee80211_
+
+ sc->sc_flags |= SC_OP_INVALID;
+
+- pm_qos_update_request(&sc->pm_qos_req, PM_QOS_DEFAULT_VALUE);
+-
+ mutex_unlock(&sc->mutex);
+
+ ath_print(common, ATH_DBG_CONFIG, "Driver halt\n");
--- /dev/null
+From a124339ad28389093ed15eca990d39c51c5736cc Mon Sep 17 00:00:00 2001
+From: Don Skidmore <donald.c.skidmore@intel.com>
+Date: Tue, 18 Jan 2011 22:53:47 +0000
+Subject: ixgbe: fix for 82599 erratum on Header Splitting
+
+From: Don Skidmore <donald.c.skidmore@intel.com>
+
+commit a124339ad28389093ed15eca990d39c51c5736cc upstream.
+
+We have found a hardware erratum on 82599 hardware that can lead to
+unpredictable behavior when Header Splitting mode is enabled. So
+we are no longer enabling this feature on affected hardware.
+
+Please see the 82599 Specification Update for more information.
+
+Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
+Tested-by: Stephen Ko <stephen.s.ko@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/ixgbe/ixgbe_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ixgbe/ixgbe_main.c
++++ b/drivers/net/ixgbe/ixgbe_main.c
+@@ -2923,6 +2923,10 @@ static void ixgbe_set_rx_buffer_len(stru
+ if (hw->mac.type == ixgbe_mac_82599EB)
+ adapter->flags &= ~IXGBE_FLAG_RX_PS_ENABLED;
+
++ /* Disable packet split due to 82599 erratum #45 */
++ if (hw->mac.type == ixgbe_mac_82599EB)
++ adapter->flags &= ~IXGBE_FLAG_RX_PS_ENABLED;
++
+ /* Set the RX buffer length according to the mode */
+ if (adapter->flags & IXGBE_FLAG_RX_PS_ENABLED) {
+ rx_buf_len = IXGBE_RX_HDR_SIZE;
--- /dev/null
+From a3e8cc643d22d2c8ed36b9be7d9c9ca21efcf7f7 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Wed, 23 Feb 2011 21:39:49 -0800
+Subject: mm: fix possible cause of a page_mapped BUG
+
+From: Hugh Dickins <hughd@google.com>
+
+commit a3e8cc643d22d2c8ed36b9be7d9c9ca21efcf7f7 upstream.
+
+Robert Swiecki reported a BUG_ON(page_mapped) from a fuzzer, punching
+a hole with madvise(,, MADV_REMOVE). That path is under mutex, and
+cannot be explained by lack of serialization in unmap_mapping_range().
+
+Reviewing the code, I found one place where vm_truncate_count handling
+should have been updated, when I switched at the last minute from one
+way of managing the restart_addr to another: mremap move changes the
+virtual addresses, so it ought to adjust the restart_addr.
+
+But rather than exporting the notion of restart_addr from memory.c, or
+converting to restart_pgoff throughout, simply reset vm_truncate_count
+to 0 to force a rescan if mremap move races with preempted truncation.
+
+We have no confirmation that this fixes Robert's BUG,
+but it is a fix that's worth making anyway.
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kerin Millar <kerframil@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/mremap.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -91,9 +91,7 @@ static void move_ptes(struct vm_area_str
+ */
+ mapping = vma->vm_file->f_mapping;
+ spin_lock(&mapping->i_mmap_lock);
+- if (new_vma->vm_truncate_count &&
+- new_vma->vm_truncate_count != vma->vm_truncate_count)
+- new_vma->vm_truncate_count = 0;
++ new_vma->vm_truncate_count = 0;
+ }
+
+ /*
--- /dev/null
+From 9ef0298a8e5730d9a46d640014c727f3b4152870 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@medozas.de>
+Date: Wed, 2 Mar 2011 12:10:13 +0100
+Subject: netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
+
+From: Jan Engelhardt <jengelh@medozas.de>
+
+commit 9ef0298a8e5730d9a46d640014c727f3b4152870 upstream.
+
+Like many other places, we have to check that the array index is
+within allowed limits, or otherwise, a kernel oops and other nastiness
+can ensue when we access memory beyond the end of the array.
+
+[ 5954.115381] BUG: unable to handle kernel paging request at 0000004000000000
+[ 5954.120014] IP: __find_logger+0x6f/0xa0
+[ 5954.123979] nf_log_bind_pf+0x2b/0x70
+[ 5954.123979] nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log]
+[ 5954.123979] nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink]
+...
+
+The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind
+was decoupled from nf_log_register.
+
+Reported-by: Miguel Di Ciurcio Filho <miguel.filho@gmail.com>,
+ via irc.freenode.net/#netfilter
+Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_log.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -85,6 +85,8 @@ EXPORT_SYMBOL(nf_log_unregister);
+
+ int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger)
+ {
++ if (pf >= ARRAY_SIZE(nf_loggers))
++ return -EINVAL;
+ mutex_lock(&nf_log_mutex);
+ if (__find_logger(pf, logger->name) == NULL) {
+ mutex_unlock(&nf_log_mutex);
+@@ -98,6 +100,8 @@ EXPORT_SYMBOL(nf_log_bind_pf);
+
+ void nf_log_unbind_pf(u_int8_t pf)
+ {
++ if (pf >= ARRAY_SIZE(nf_loggers))
++ return;
+ mutex_lock(&nf_log_mutex);
+ rcu_assign_pointer(nf_loggers[pf], NULL);
+ mutex_unlock(&nf_log_mutex);
--- /dev/null
+From e9e3d724e2145f5039b423c290ce2b2c3d8f94bc Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Fri, 4 Mar 2011 19:26:03 -0500
+Subject: nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+commit e9e3d724e2145f5039b423c290ce2b2c3d8f94bc upstream.
+
+The "bad_page()" page allocator sanity check was reported recently (call
+chain as follows):
+
+ bad_page+0x69/0x91
+ free_hot_cold_page+0x81/0x144
+ skb_release_data+0x5f/0x98
+ __kfree_skb+0x11/0x1a
+ tcp_ack+0x6a3/0x1868
+ tcp_rcv_established+0x7a6/0x8b9
+ tcp_v4_do_rcv+0x2a/0x2fa
+ tcp_v4_rcv+0x9a2/0x9f6
+ do_timer+0x2df/0x52c
+ ip_local_deliver+0x19d/0x263
+ ip_rcv+0x539/0x57c
+ netif_receive_skb+0x470/0x49f
+ :virtio_net:virtnet_poll+0x46b/0x5c5
+ net_rx_action+0xac/0x1b3
+ __do_softirq+0x89/0x133
+ call_softirq+0x1c/0x28
+ do_softirq+0x2c/0x7d
+ do_IRQ+0xec/0xf5
+ default_idle+0x0/0x50
+ ret_from_intr+0x0/0xa
+ default_idle+0x29/0x50
+ cpu_idle+0x95/0xb8
+ start_kernel+0x220/0x225
+ _sinittext+0x22f/0x236
+
+It occurs because an skb with a fraglist was freed from the tcp
+retransmit queue when it was acked, but a page on that fraglist had
+PG_Slab set (indicating it was allocated from the Slab allocator (which
+means the free path above can't safely free it via put_page.
+
+We tracked this back to an nfsv4 setacl operation, in which the nfs code
+attempted to fill convert the passed in buffer to an array of pages in
+__nfs4_proc_set_acl, which gets used by the skb->frags list in
+xs_sendpages. __nfs4_proc_set_acl just converts each page in the buffer
+to a page struct via virt_to_page, but the vfs allocates the buffer via
+kmalloc, meaning the PG_slab bit is set. We can't create a buffer with
+kmalloc and free it later in the tcp ack path with put_page, so we need
+to either:
+
+1) ensure that when we create the list of pages, no page struct has
+ PG_Slab set
+
+ or
+
+2) not use a page list to send this data
+
+Given that these buffers can be multiple pages and arbitrarily sized, I
+think (1) is the right way to go. I've written the below patch to
+allocate a page from the buddy allocator directly and copy the data over
+to it. This ensures that we have a put_page free-able page for every
+entry that winds up on an skb frag list, so it can be safely freed when
+the frame is acked. We do a put page on each entry after the
+rpc_call_sync call so as to drop our own reference count to the page,
+leaving only the ref count taken by tcp_sendpages. This way the data
+will be properly freed when the ack comes in
+
+Successfully tested by myself to solve the above oops.
+
+Note, as this is the result of a setacl operation that exceeded a page
+of data, I think this amounts to a local DOS triggerable by an
+uprivlidged user, so I'm CCing security on this as well.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+CC: Trond Myklebust <Trond.Myklebust@netapp.com>
+CC: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/nfs4proc.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -49,6 +49,7 @@
+ #include <linux/mount.h>
+ #include <linux/module.h>
+ #include <linux/sunrpc/bc_xprt.h>
++#include <linux/mm.h>
+
+ #include "nfs4_fs.h"
+ #include "delegation.h"
+@@ -3216,6 +3217,35 @@ static void buf_to_pages(const void *buf
+ }
+ }
+
++static int buf_to_pages_noslab(const void *buf, size_t buflen,
++ struct page **pages, unsigned int *pgbase)
++{
++ struct page *newpage, **spages;
++ int rc = 0;
++ size_t len;
++ spages = pages;
++
++ do {
++ len = min(PAGE_CACHE_SIZE, buflen);
++ newpage = alloc_page(GFP_KERNEL);
++
++ if (newpage == NULL)
++ goto unwind;
++ memcpy(page_address(newpage), buf, len);
++ buf += len;
++ buflen -= len;
++ *pages++ = newpage;
++ rc++;
++ } while (buflen != 0);
++
++ return rc;
++
++unwind:
++ for(; rc > 0; rc--)
++ __free_page(spages[rc-1]);
++ return -ENOMEM;
++}
++
+ struct nfs4_cached_acl {
+ int cached;
+ size_t len;
+@@ -3384,13 +3414,23 @@ static int __nfs4_proc_set_acl(struct in
+ .rpc_argp = &arg,
+ .rpc_resp = &res,
+ };
+- int ret;
++ int ret, i;
+
+ if (!nfs4_server_supports_acls(server))
+ return -EOPNOTSUPP;
++ i = buf_to_pages_noslab(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
++ if (i < 0)
++ return i;
+ nfs_inode_return_delegation(inode);
+- buf_to_pages(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
+ ret = nfs4_call_sync(server, &msg, &arg, &res, 1);
++
++ /*
++ * Free each page after tx, so the only ref left is
++ * held by the network stack
++ */
++ for (; i > 0; i--)
++ put_page(pages[i-1]);
++
+ /*
+ * Acl update can result in inode attribute update.
+ * so mark the attribute cache invalid.
--- /dev/null
+From f009918a1c1bbf8607b8aab3959876913a30193a Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@au1.ibm.com>
+Date: Mon, 28 Feb 2011 03:27:53 +0000
+Subject: RxRPC: Fix v1 keys
+
+From: Anton Blanchard <anton@au1.ibm.com>
+
+commit f009918a1c1bbf8607b8aab3959876913a30193a upstream.
+
+commit 339412841d7 (RxRPC: Allow key payloads to be passed in XDR form)
+broke klog for me. I notice the v1 key struct had a kif_version field
+added:
+
+-struct rxkad_key {
+- u16 security_index; /* RxRPC header security index */
+- u16 ticket_len; /* length of ticket[] */
+- u32 expiry; /* time at which expires */
+- u32 kvno; /* key version number */
+- u8 session_key[8]; /* DES session key */
+- u8 ticket[0]; /* the encrypted ticket */
+-};
+
++struct rxrpc_key_data_v1 {
++ u32 kif_version; /* 1 */
++ u16 security_index;
++ u16 ticket_length;
++ u32 expiry; /* time_t */
++ u32 kvno;
++ u8 session_key[8];
++ u8 ticket[0];
++};
+
+However the code in rxrpc_instantiate strips it away:
+
+ data += sizeof(kver);
+ datalen -= sizeof(kver);
+
+Removing kif_version fixes my problem.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/keys/rxrpc-type.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/include/keys/rxrpc-type.h
++++ b/include/keys/rxrpc-type.h
+@@ -99,7 +99,6 @@ struct rxrpc_key_token {
+ * structure of raw payloads passed to add_key() or instantiate key
+ */
+ struct rxrpc_key_data_v1 {
+- u32 kif_version; /* 1 */
+ u16 security_index;
+ u16 ticket_length;
+ u32 expiry; /* time_t */
alsa-hda-realtek-fixup-jack-detection-to-input-subsystem.patch
alsa-hda-don-t-set-to-d3-in-cirrus-errata-init-verbs.patch
drivers-misc-bmp085.c-add-module_device_table.patch
+nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-v3.patch
+rxrpc-fix-v1-keys.patch
+ath9k-fix-ath9k-prevents-cpu-to-enter-c3-states.patch
+ixgbe-fix-for-82599-erratum-on-header-splitting.patch
+mm-fix-possible-cause-of-a-page_mapped-bug.patch
+netfilter-nf_log-avoid-oops-in-un-bind-with-invalid-nfproto-values.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
